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November 20, 2012 

The President 
The White House 
1600 Pennsylvania Avenue 
Washington, D.C. 20500 

Dear Mr. President: 

The Controlled Unclassified Information (GUI) Office of the National Archives and Records 
Administration (NARA) is pleased to submit its second annual report on the implementation of 
Executive Order 13556, "Controlled Unclassified Information” [the Order) in NARA’s capacity as the 
Executive Agent for CUE This report covers CUI program development from October 1, 2011 to 
September 30, 2012 [FY2012). The submission of this Report occurs while we are formalizing 
comprehensive program guidance for submission to the federal rule-making process. 

Per the requirements set forth in the Order, the Executive Agent published the online CUI Registry 
on November 4, 2011. At this writing, the Registry includes 22 categories, 85 associated sub- 
categories and 464 authority citations based on more than 2,200 agency submissions from 
departments and agencies across the Executive branch. 

During FY2012, the Executive Agent continued its collaboration with stakeholders using 
overlapping timelines and an iterative strategy to develop program guidance to prescribe practices 
for safeguarding, dissemination, decontrol and marking of CUI. These policy elements will be 
incorporated into the CUI Registry to provide a central repository for common definitions and 
protocols for marking, and procedures for properly safeguarding, disseminating, and decontrolling 
unclassified information. 

Ongoing outreach by the Executive Agent aims to ensure full participation of Executive branch 
departments and agencies by engaging senior leadership in dialogue to directly address individual 
agency interests and concerns. 

Deliberate, continuous effort will be required for successful CUI implementation. The Executive 
Agent is well positioned to serve as a resource for departments and agencies to ensure coordination 
and proper implementation of the Order throughout the Executive branch. 

Respectfully, 




Director, Information Security Oversight Office 
National Archives and Records Administration 
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CONTROLLED UNCLASSIFIED INFORMATION (CUI) 



BACKGROUND 

Historically, Executive departments and 
agencies have employed ad-hoc, agency- 
specific policies, procedures, and markings to 
safeguard and control the dissemination of 
Sensitive But Unclassified (SBU) information. 
As a result, more than 100 different policies 
and markings have evolved for handling such 
information across the Executive branch. 

This inefficient, confusing patchwork system 
has resulted in inconsistent marking and 
safeguarding of documents, led to unclear or 
unnecessarily restrictive dissemination 
policies, and created impediments to 
authorized information sharing. 

The goal of the Controlled Unclassified 
Information (CUI) program is to standardize 
the way the Executive branch handles such 
information while emphasizing and 
enhancing the openness, transparency, and 
uniformity of government-wide practices. 
Executive Order 13556, "Controlled 
Unclassified Information,” November 4, 2010 
(the Order) 1 established the CUI program and 
designated the National Archives and Records 
Administration (NARA) as its Executive Agent 
(EA). NARA established the CUI Office, within 
the Information Security Oversight Office, to 
manage the program and fulfill EA 
responsibilities per the Order. 



^ Executive Order 13556 "Controlled Unclassified 
Information," dated November 4, 2010. 



On June 9, 2011, the EA issued "Controlled 
Unclassified Information (CUI) EA Notice 
2011-01: Implementation Guidance for 
Executive Order 13556”2 to provide baseline 
requirements for agency-specific CUI policies 
and procedures and to support uniformity of 
government-wide practice as it pertains to 
unclassified information. Also during 
FY2011, federal departments and agencies 
reviewed their respective SBU information 
practices and submitted to the EA those 
categories and subcategories that the 
department or agency would like to continue 
to employ. 



^ "Controlled Unclassified Information (CUI) EA 
Notice 2011-01: Implementation Guidance for 
Executive Order 13556," dated June 9, 2011. 
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SUMMARY OF FY2012 PROGRAM ACTIVITY 



REGISTRY 

During FY2012, the EA reviewed more than 
2,200 proposed category and subcategory 
submissions from 47 departments and 
agencies. Similar proposals were 
consolidated to eliminate redundancies and 
provide consistency among like categories. 
The EA led interagency discussions to 
establish an Executive branch-wide initial 
structure of 16 approved categories and 74 
associated subcategories for GUI, based on 
398 unique safeguarding, dissemination and 
sanction citations in law, regulations, and 
government-wide policies. These categories 
and subcategories were published in the 
online GUI Registry on November 4, 2011. 
Nearly 6,000 visits were logged to the 
Registry during FY2012.3 



Following initial launch, the EA continues to 
review requests for additional GUI categories 
and subcategories, verifying authorization in 
law, regulation or government-wide-policy, 
incorporating or adding categories, 
subcategories, and authorities to the Registry 
as needed. When fully developed, the Registry 
will reflect all approved categories, 
subcategories and markings, along with 
applicable safeguarding, dissemination, and 
decontrol procedures. 



^ Registry visit data provided by WebTrends Analytics 
8™; report created on Tuesday, October 9, 2012. 
WebTrends Reporting Center is a web site analysis 
and tracking tool that delivers real-time, accurate, 
aggregated data regarding visitors' use of web sites 
maintained on NARA servers. 
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SUMMARY OF FY2012 PROGRAM ACTIVITY 



Sample 

CUI Registry Detail 



CUI Registry 

Category-Subcategory Authorities 



Category- Su bcategory: 


Patent- 1 nvention 


Category Description: 


Patent is a property right granted by the Government of the United States of 
America to an inventor "to exclude others from making, using, offering for saie, or 
soiling the invention throughout the United States or importing the invention into 
the United States" for a limited time in exchange for public disciosure of the 
invention when the patent is granted. 


Subcategory Description: 


An invention is any art or process (way of doing or making things), machine, 
manufacture, design, or composition of matter, or any new and useful 
improvement thereof, or any variety of plant, which is or may be patentable under 
the patent laws of the United States, in which the federal government owns or may 
own a right, title, or interest. 



Select Safeguarding/Dissemination or Sanction Authority to view statutory/regulatory language in a new window. 
Authority links are updated based on regular re-publication of the United States Code and Code of Federal Regulations. 



Safeguarding and/or Dissemination Authority 


Sanctions 


35 use 205 


35 use 186 
35 use 187 


48 CFR 27.302 




48 CFR 27.305-4 





PDF files require the free Adobe Reader. 



More information on Adobe Acrobat PDF files is available on our Accessibility page. 



Figure 1 
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SUMMARY OF FY2012 PROGRAM ACTIVITY 



POLICY 



Beginning in December 2011, the EA began 
focusing on supplemental policy development 
to prescribe practices for safeguarding, 
dissemination, decontrol, and marking of GUI. 
To promote the fullest participation of 
stakeholder agencies' subject matter experts, 
each policy component was introduced along 
a progressive timeline that interspersed: 

• Working group discussions 

• Surveys of current agency practices 

• Consolidation/Aggregation of 
Executive branch-wide practices 

• Policy drafting 

• Informal agency comment/EA 
adjudication (minimum 2 rounds per 
policy element) 

• Policy integration/editing 



This iterative strategy was launched in March 
2012. The EA hosted semi-monthly working 
group meetings to provide status updates and 
promote collaborative review. A timeline of 
policy development activities, extending into 
FY2013, is diagrammed in the fold-out insert 
of this report. 

In addition, the EA has continued to 
collaborate with the National Institute of 
Standards and Technology (NIST) regarding 
the nexus of proposed GUI policy with NIST 
standards for federal information and 
information systems. 
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CUI POLICY DEVELOPMENT TIMELINE 
MARCH 2012 - SEPTEMBER 2012 
and 

OCTOBER 2012 - FEBRUARY 2013 (projected) 



SAFEGUARDING 


< 


Semi-Monthly Inter-Agency Working Group Meetings 


> 


Inter-Agency 
Meeting re:CUI-NIST 
collaboration 


Policy Draft 1 


Agency Comment 1 


Agency Practices 
Survey 


Agency Practices 
Survey, Policy 

Draft 2 


Agency Comment 2 



DISSEMINATION 


<- 


Semi-Monthly Inter-Agency Working Group Meetings 


-> 


Agency Practices 
Survey 




Policy Draft 1, 
Agency Comment 1 


Policy Draft 2 


Agency Comment 2 
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DECONTROL 




< — Semi-Monthly Inter-Agency Working Group Meetings — > 


Agency Practices 
Survey 


Policy Draft 1 


Agency Comment 1, 
Policy Draft 2 


Agency Comment 2 






MARKING 




< — Semi-Monthly Inter-Agency Working Group Meetings — > 


Agency Practices 
Survey 


Agency Comment 1 


Policy Draft 1 


Agency Comment 2, 
Policy Draft 2 
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Information 



POLICY CONSOLIDATION AND FINALIZATION 



■ Monthly Inter-Agency Working Group Meetings 



Policy Draft 1 


Agency Comment 1 




(Safeguarding, 


(Safeguarding, 


Policy Draft 2 


Dissemination, 


Dissemination, 


(Complete) 


Decontrol) 


Decontrol) 





Agency Comment 2 
+ Non-Federal 
Comment 



Policy Document for 
Formal Comment 
and Rule-Making 
Process 



Rule-Making 

Process 





SUMMARY OF FY2012 PROGRAM ACTIVITY 



OUTREACH 

On November 22, 2011, the EA and the Office 
of Information Policy at the Department of 
Justice issued Guidance Regarding GUI and the 
Freedom of Information Act in response to 
inquiries regarding the relationship between 
GUI and the Freedom of Information Act, and 
to provide additional clarity as to the intent of 
policy references. 

Contacts between international and 
American colleagues provide benefits from 
shared insights and lessons learned. In 
February 2012, the Information Security 
Oversight Office (ISOO) hosted British 
government representatives for policy 
discussions and meetings concerning reforms 
under consideration for the United Kingdom's 
(UK) security system for unclassified and 
classified information. At a follow-up 
meeting in June 2012, a comparative analysis 
between the GUI program and current work 
by the UK government to reform British 
information security policy was presented to 
representatives from the UK Cabinet Office, 
Ministry of Defense, and Home Office. 



The EA continued to interact with 
stakeholder agencies and listen to their 
concerns. Given that the GUI Directive is in 
draft form, continued outreach also aimed to 
ensure full participation by stakeholders. A 
significant effort was made to engage all 
cabinet level departments and represented 
offices. Given their position in the President's 
cabinet and their influence over policy, these 
stakeholders have the greatest ability to 
affect the overall implementation of the GUI 
program. Their participation in the program 
sets an example for independent agencies and 
other organizations throughout the Executive 
branch. On the basis of in-depth research 
conducted on the interests and concerns of 
stakeholder agencies and, through a series of 
visits and discussions, the GUI EA engaged 
and met with senior leadership of 15 cabinet 
level departments and 3 represented offices, 
in addition to a number of independent 
agencies and intergovernmental 
organizations. 

The EA also expanded opportunities to 
involve and inform critical non-Federal 
partners by representing the program at 
conferences, symposiums, and meetings for a 
range of audiences, including federal, state, 
local, and tribal governments, the private 
sector, law enforcement, military, academic, 
and public interest entities. Each outreach 
event provided opportunities for 
stakeholders to learn more about GUI, ask 
questions regarding implementation, and 
provide feedback or recommendations on 
how to improve the overall GUI program. 
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SUMMARY OF FY2012 PROGRAM ACTIVITY 



COMPLIANCE PLANS 



Departments and agencies were requested to 
submit their initial plans for compliance with 
the Order to the EA no later than December 6, 
2011, addressing GUI governance, policy, 
training, technology, and self-inspection 
requirements. By the end of the reporting 
period, the EA had received over 50 
compliance plans. The EA evaluated target 
dates to establish phased implementation of 
their GUI programs. Such evaluations were 
made on the basis of continued consultation 
with affected agencies and the Office of 
Management and Budget, as required by 
section 5(b) of the Order. 



The EA recognizes that department and 
agency proposed target dates for 
implementation will likely require revision in 
light of forthcoming program guidance, 
anticipated for FY2013 publication as a 
federal rule. Upon issuance of such guidance, 
agencies will be afforded the opportunity to 
submit updated compliance plans to include 
revised proposed interim target dates for 
implementation. Departments and agencies 
are reminded that CUI categories may not be 
used until the phased implementation for 
marking is set, and markings are approved 
and published in the CUI Registry. 



Agency CUI Compliance Plans 




Processes, policies, roles and 
responsibilities established to guide and 
direct the program and its requirements 



Processes and 
procedures of 
continuous monitoring 
to ensure compliance 
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Development, 

implementation and revision 
of properly documented 
policies that are readily 
available to all affected 
personnel 



Identify and assess 
requirements of IT systems 
and toolsets for program 
implementation 





Education of affected personnel on 
the appropriate handling of 
information including responsibilities 
and ongoing maintenance 



Figure 2 
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SUMMARY OF FY2012 PROGRAM ACTIVITY 



WEBSITE 

The CUI website is maintained on an ongoing 
basis to reflect the background, current status 
and anticipated progression of the CUI 
program, as well as regular updates to the 
United States Code and Code of Federal 
Regulations for cited authorities in the CUI 
Registry. The CUI website can be accessed at 
http://www.archives.gov/cui/ . 



In addition to the CUI Registry, the website 
includes a CUI program chronology, 
milestones, annual reports and other EA 
issuances, training, frequently asked 
questions, and department/agency resources. 
14,835 users accessed the CUI website 20,712 
times in FY2012, a visitor increase of 41.33% 
and visit increase of 34.83% over FY2011.4 



FY2012 CUI Website Visits 
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■ Visits 

■ Visitors 



2011 2012 



Figure 3 



^ Website visitor data provided by WebTrends 
Analytics 8™; report created on Tuesday, October 9, 
2012. WebTrends Reporting Center is a web site 
analysis and tracking tool that delivers real-time, 
accurate, aggregated data regarding visitors' use of 
web sites maintained on NARA servers. 
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NEXT STEPS 



MOVING FORWARD 

The EA will continue the policy development 
cycle described above to maintain full 
engagement of Executive branch departments 
and agencies as the EA continues to integrate 
and consolidate all policy elements. Input 
from non-federal stakeholders will all be 
considered as the EA completes 
comprehensive program guidance for 
submission to the federal rule-making 
process. 

The GUI Registry will be updated to include 
common definitions and protocols for 
describing how unclassified information 
should be marked, and what procedures 
should be followed for properly safeguarding, 
disseminating, and decontrolling unclassified 
information, based on law, regulation, and 
government-wide policy. Providing clear and 
readily accessible direction will promote 
better protection and sharing of unclassified 
information both internally and externally. 

Following the iterative strategy of policy 
development, the EA plans to develop 
training modules for each policy component: 
safeguarding, dissemination, decontrol and 
marking. Training for Controlled Unclassified 
Information (CUI) and the Freedom of 
Information Act (FOIA is expected to launch 
early in FY2013. Training modules are 
designed for users at all levels and are 
publicly available at the CUI website for 
either direct access or download. 



Agency heads are required to establish and 
manage an agency CUI program that develops 
and implements agency procedures, roles, 
and responsibilities regarding CUI in 
accordance with Executive Order 13556. Such 
programs must provide training for affected 
personnel regarding implementation and 
maintenance of the agency's CUI program, 
and include a self-inspection program to 
ensure compliance with the Order. The EA 
will serve as a resource for departments and 
agencies to ensure coordination and 
implementation of CUI policy throughout the 
Executive branch. Outreach efforts will 
continue, with particular attention to 
stakeholder agencies that are newer to the 
CUI effort. 

The goal of the EA is to establish a program 
that standardizes Executive branch practices 
for handling unclassified information that 
requires safeguarding or dissemination 
controls, pursuant to and consistent with 
applicable law, regulations, and government- 
wide policies. The CUI program will 
emphasize openness, transparency, and 
uniformity in government-wide practices. 
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